Comment by rdl
8 years ago
I don't think he had to, but he got an answer in minutes. I don't think that's the part to be worried about.
As for what you should do: it sounds like the impact is relatively low. I'd personally change easily-changed secrets which go over the session, and potentially externally facing customer passwords (yes in enterprise, maybe not in consumer).
(I don't have any insider info on this breach, though, but I read both posts and know how the system works.)
Sounds bad to me...
"We've discovered (and purged) cached pages that contain private messages from well-known services, PII from major sites that use cloudflare, and even plaintext API requests from a popular password manager that were sent over https (!!)."
The trouble is you have no way to know if someone discovered this earlier, and harvested info for a long time.
Or, how much harvested info from your site might be in a Google cache for someone else's site.
Does 1Password really send anything meaningful in their API queries, or is it encrypted separately and then just sent over HTTPS?
For what it's worth, I've posted this question in 1Password's support forum, which is frequented by 1Password staff: https://discussions.agilebits.com/discussion/75711/cloudblee...
2 replies →
According to their blog post about this issue they use multiple levels of encryption to guard against compromise at the SSL/TLS layer - https://blog.agilebits.com/2017/02/23/three-layers-of-encryp...
Read Tavis' comments. He disagrees with you regarding the severity. This is a big f--king deal!
OK, "severe in impact", but there isn't much victims can actually do besides try to invalidate as much data which had potentially transited Cloudflare as possible.